
Court Rules Passwords+Secret Questions=Secure eBanking

Posted by samzenpus
from the nobody-knows-your-mother's-maiden-name dept.
An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."
  • good (Score:4, Interesting)

    by waddgodd (34934) on Wednesday June 08, 2011 @08:59PM (#36382486)

    From a consumer perspective, the lower the bar is for "effective security measures" the better, because if an attacker breaks ineffective security measures, you're basically on the "caveat emptor" hook, meaning you failed to do due diligence, therefore any losses are yours. If the security's effective, the bank's on the hook for any losses due to theft. Think of it this way: your bank has a wooden safe, and a robber gets in; you try to sue the bank for your losses, the bank says "well, duh, we had a wooden safe, what'd you expect?" and gets off the hook, while if the bank has a steel vault, you sue, and the bank's required by fiduciary duty to cover your loss, even though it's not negligent. Kinda twisted, huh? But then again, look at the rhetoric flying around Washington about the banks; banking law is truly down the rabbit-hole.

  • by FatAlb3rt (533682) on Wednesday June 08, 2011 @09:14PM (#36382590)
    Unless the questions are like my bank's:
    Who is your favorite Disney character?
    What is your favorite color?

    You stand a good chance to get the right answer for any given account if you go with Mickey / Minnie or red / blue. How is that really security?
  • by snuf23 (182335) on Wednesday June 08, 2011 @09:20PM (#36382636)

    I find it odd that Blizzard offers more security for a World of Warcraft account than your average bank.

  • Re:This has a name (Score:4, Interesting)

    by Mashiki (184564) <mashiki.gmail@com> on Wednesday June 08, 2011 @09:28PM (#36382698)

    If there's zero case law on something, any case law is good, because it creates both a starting point and a breach point for other lawyers to prove that the system is faulty. It's not bullshit; well, actually it is, but not in the way you think. It's bullshit that it's taken nearly 15 years for the first real case to come to light creating case law.

  • Re:One-time pads (Score:4, Interesting)

    by QuasiSteve (2042606) on Wednesday June 08, 2011 @09:40PM (#36382782)

    Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.

    I'm curious... what is the other channel?

    Here in NL there's two major forms of online banking authorization (separate from the account login, of course), both are a challenge/response type, and both perform the challenge in the browser.

    In the first one, the response is either on a paper sheet you have (which you can then move to a computer file or whatever if you want to spend some time typing it in) or is sent to your cellphone along with the amount (so that no transactions can sneak in without being shown in the same text).

    In the other one, the response is something generated on an external device (it looks like a little calculator) after entering the challenge.

    In both cases, the response is also entered into the browser.

    Despite these more-or-less two-factor authorizations, I'd consider this to be a single channel.

    I'm not sure what other channel could exist either... a custom application that communicates over an SSL'd connection or secure FTP or whatever could just as well be targeted by malware authors, perhaps even more so considering its focused purpose.

    A true separate channel would probably be a modification of the aforementioned challenge-via-text method to also send the response via text. Or calling the bank and checking with an employee that the order as you see it on your screen is indeed the order pending, and then proceeding to provide the response to the presented challenge. The former could be automated, the latter... not so much?

    So I'm curious what the 2nd channel in your banking situation is.

  • by definate (876684) on Wednesday June 08, 2011 @10:07PM (#36382960)

    I always answer those questions with a different password. This results in many people going, "LOL, so your mother's maiden name is jks)*8h9*H*(BY?"

    This is when those are used for verbal authentication over the phone. Then on top of this, I just need some reasonable password management.

    All good!

  • Re:One-time pads (Score:3, Interesting)

    by Dodgy G33za (1669772) on Wednesday June 08, 2011 @10:09PM (#36382984)

    Don't underestimate the power of the money that can be made by subverting online banking.

    If the machine on which you do banking is not secure it becomes very hard to secure a transaction unless you have a true second channel. For example, confirm a transaction with an SMS or phone call, although with smartphones this can no longer be guaranteed to be a second channel.

    The latest generation of man-in-the-browser malware sits between the user and the bank and can alter transactions that the user has legitimately entered and authorised, as well as hide the evidence of the results.

    At a recent AusCERT conference in Australia we heard that such malware can also add additional form fields so that the user confirms their phone number, and use that as a vector to infect their smartphone by exploiting smartphone OS vulnerabilities. Once they have both PC and phone infected, it is game over as far as two-factor authentication with the phone is concerned.

    This problem can be solved in a very simple (technically, not politically) way, and that is to clean up international banking so that the money trail can be followed. Make the bank that failed to identify the one that ends up with the money liable for repayment (and that includes the likes of Western Union), and in the event of a failed bank make the country in which the bank is registered liable.

    Failing that make operating system and software manufacturers liable for security flaws in their products. We do it with cars, so why not software?

  • Re:One-time pads (Score:4, Interesting)

    by AK Marc (707885) on Wednesday June 08, 2011 @10:11PM (#36383004)
    I have my bank send me a text with a code I put in the browser for online transactions above a certain level. Sure, it all goes through the browser at some point, but a one-time use code texted to my phone that won't work for another transaction even if someone was at my computer watching everything I put in will not allow them to then compromise my account at all. I could bank with that on a public computer and nobody could get anything out of my account.
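The three comments above (QuasiSteve's SMS that carries the amount, Dodgy G33za's man-in-the-browser that rewrites an authorised transfer, and AK Marc's one-time code) hinge on one property: whether the code the user types commits to the transfer the bank will actually execute. The following is an added example, not code from the thread, from any bank or from any token vendor; the key, the counter, the IBAN-style account numbers and the amounts are constructed. It models a plain counter-based one-time code next to a code that is computed over the payee and amount shown to the user, and runs a simulated man-in-the-browser against both.

```python
"""Transaction-bound codes versus plain one-time codes under a man-in-the-browser.

Constructed example: not code from the thread, from any bank, or from any
token vendor. The key, account numbers, counter and amounts are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Secret shared between the bank and the customer's token (or, for SMS
# codes, held only by the bank). Constructed value, not a real key.
DEVICE_KEY = bytes.fromhex("5f3a9c1d7e2b4860a1b2c3d4e5f60718" * 2)

# Constructed IBAN-style identifiers for the demo.
INTENDED_PAYEE = "NL00DEMO0123456789"
MULE_ACCOUNT = "NL00DEMO9876543210"


@dataclass(frozen=True)
class Transfer:
    beneficiary: str
    amount_cents: int


def _digits(mac: bytes, n: int = 8) -> str:
    """Truncate a MAC to an n-digit code the user can type or read off an SMS."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**n:0{n}d}"


def plain_otp(key: bytes, counter: int) -> str:
    """Counter-based one-time code. It is valid for whatever transfer the bank receives."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _digits(mac)


def bound_code(key: bytes, counter: int, t: Transfer) -> str:
    """Code that commits to what the user was shown: payee and amount are in the MAC.

    The SMS (or token display) that carries this code must also show t, so the
    user is authorising exactly the transfer the bank will verify against.
    """
    msg = f"{counter}|{t.beneficiary}|{t.amount_cents}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return _digits(mac)


def bank_accepts(key: bytes, counter: int, received: Transfer, code: str, bound: bool) -> bool:
    """The bank recomputes the code over the transfer it actually received."""
    expected = bound_code(key, counter, received) if bound else plain_otp(key, counter)
    return hmac.compare_digest(expected, code)


def man_in_the_browser(approved: Transfer) -> Transfer:
    """Model of the malware: the user approved `approved`; the browser submits this instead."""
    return Transfer(MULE_ACCOUNT, approved.amount_cents * 40)


def run(bound: bool) -> bool:
    """Return True if the tampered transfer is accepted by the bank."""
    counter = 7
    approved = Transfer(INTENDED_PAYEE, 12_50)
    # The user reads the code off the phone/token, where the intended transfer is displayed.
    code = bound_code(DEVICE_KEY, counter, approved) if bound else plain_otp(DEVICE_KEY, counter)
    submitted = man_in_the_browser(approved)
    return bank_accepts(DEVICE_KEY, counter, submitted, code, bound)


if __name__ == "__main__":
    print("plain OTP, tampered transfer accepted:", run(bound=False))  # True
    print("bound code, tampered transfer accepted:", run(bound=True))  # False
```

The plain code is accepted for the mule transfer because nothing in it depends on the transfer; the bound code is rejected because the bank MACs the payee and amount it received, not the ones the user saw. The binding only helps if the second channel displays the payee and amount the bank will use, which is the point of putting the amount in the SMS; and, as Dodgy G33za notes, a phone that is itself compromised can be made to show whatever the malware wants.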
  • by Anonymous Coward on Wednesday June 08, 2011 @11:00PM (#36383330)

    I was doing that with my bank (the 'mothers maiden name' answer I had, while technically correct, wasn't the obvious one), until one day when I had to call in and was informed that my answer was wrong. My mom has an account at the same bank, and somehow they had been able to 'fix' it; I have not been able to change it back. Nor did I ever get an answer as to why the change was made.

  • What are banks for? (Score:5, Interesting)

    by taucross (1330311) on Wednesday June 08, 2011 @11:15PM (#36383448)
    If banks can't protect our money, and aren't liable when it goes missing, then what are banks for?
  • Here in Sweden (Score:4, Interesting)

    by jools33 (252092) on Thursday June 09, 2011 @05:05AM (#36385264)

    Here in Sweden - my bank uses a keypad - where the user first must key in a PIN code to activate the device. Then to log in - you must key in your national security number (user ID) - from this the bank generates a code - I key this code into my unlocked keypad - and get a return code. This is I guess similar to the RSA key generation (the device is not supplied by RSA incidentally) - except that the whole activity is locked down by a 4-key PIN in my handheld device - which I guess is the key to the code generation. My bank thinks this security is impregnable (the last time I questioned it they laughed at me) - but after the recent RSA hack I really wonder if this is the case. If the generation algorithm becomes common knowledge (i.e. the security provider is hacked) - then all that is needed is to identify the 4-digit PIN code.
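The worry in the comment above is about the algorithm becoming known. For this class of token the algorithm is already public by design; what the breach of a token vendor exposes is the per-device seed. The following added example models that, in Python; it is not the Swedish bank's device, not any vendor's algorithm, and the seed, PIN and challenges are constructed. The response is a MAC over the challenge under a key derived from the device seed and the PIN (a constructed derivation, used only for illustration). With the seed leaked and two challenge/response pairs observed in the browser, all 10^4 PINs can be searched offline; with the algorithm known but the seed unknown, the same search finds nothing.

```python
"""Where the security of a PIN-unlocked challenge/response token lives.

Constructed model, not the Swedish bank's device or any vendor's algorithm.
Seed, PIN and challenges are made up. The algorithm is public here, as it is
for real tokens; the per-device seed is the secret.
"""
import hashlib
import hmac
import itertools
import os
from typing import List, Optional, Tuple

# 32-byte seed burned into this token at manufacture (constructed value).
SEED = bytes.fromhex("0badcafe0badcafe0badcafe0badcafe0badcafe0badcafe0badcafe0badcafe")
PIN = "4207"  # constructed


def device_key(seed: bytes, pin: str) -> bytes:
    """Mix seed and PIN into the MAC key. Constructed derivation; a real device
    keeps the seed in tamper-resistant storage and counts PIN attempts."""
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()


def token_response(seed: bytes, pin: str, challenge: str) -> str:
    """Six-digit response the keypad shows for a bank-supplied challenge."""
    mac = hmac.new(device_key(seed, pin), challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def bank_verify(seed: bytes, pin: str, challenge: str, response: str) -> bool:
    """The bank holds the same seed and PIN (or the derived key) and recomputes."""
    return hmac.compare_digest(token_response(seed, pin, challenge), response)


def recover_pin(seed_guess: bytes, observed: List[Tuple[str, str]]) -> Optional[str]:
    """Offline search over all 10^4 PINs, given a seed and challenge/response
    pairs seen in the browser. Two pairs make a false match negligible
    (about 10^4 candidates against 10^12 possible response pairs)."""
    for digits in itertools.product("0123456789", repeat=4):
        pin = "".join(digits)
        if all(token_response(seed_guess, pin, c) == r for c, r in observed):
            return pin
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Returns (PIN found with the leaked seed, PIN found without it)."""
    challenges = ["38172645", "90214577"]  # constructed bank challenges
    observed = [(c, token_response(SEED, PIN, c)) for c in challenges]
    with_seed = recover_pin(SEED, observed)
    without_seed = recover_pin(os.urandom(32), observed)  # public algorithm, unknown seed
    return with_seed, without_seed


if __name__ == "__main__":
    print(demo())  # ('4207', None)
```

The search with the leaked seed finishes in well under a second, which is why a vendor breach that exposes seeds reduces such a token to its PIN. Without the seed, knowing every detail of the algorithm buys the attacker nothing beyond the 2^256 seed space. The remaining protection for the PIN itself is the device: it is only ever entered on the keypad, never in the browser, and a real token limits PIN attempts, so the online guessing budget is a handful of tries rather than 10^4.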
